asyncrat | ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560

Windows Service

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000000b3e2-113.dat	family_stormkitty
behavioral1/memory/776-270-0x0000000001370000-0x00000000013A0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000300000000b3e2-113.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
896	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 3 IoCs

flow	pid	Process
33	2528	ywquammebid.exe
35	2528	ywquammebid.exe
29	2528	ywquammebid.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	smbhost.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2292	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe"	services.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2528	ywquammebid.exe
776	UIServices.exe
2820	smbhost.exe
944	SearchUI.exe
1920	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 19 IoCs

pid	Process
1804	services.png.exe
1804	services.png.exe
1804	services.png.exe
1804	services.png.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
476	services.exe
476	services.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Viati = "C:\\Users\\Admin\\AppData\\Roaming\\Fuyclyizy\\ywquammebid.exe"	ywquammebid.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\c02199669cf74979f2f2c3a9189c6864\Admin@KHBTHJFA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	UIServices.exe
File opened for modification	C:\Users\Admin\AppData\Local\c02199669cf74979f2f2c3a9189c6864\Admin@KHBTHJFA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\c02199669cf74979f2f2c3a9189c6864\Admin@KHBTHJFA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	UIServices.exe
File opened for modification	C:\Users\Admin\AppData\Local\c02199669cf74979f2f2c3a9189c6864\Admin@KHBTHJFA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\c02199669cf74979f2f2c3a9189c6864\Admin@KHBTHJFA_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\c02199669cf74979f2f2c3a9189c6864\Admin@KHBTHJFA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	UIServices.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
352	powercfg.exe
1988	powercfg.exe
1980	powercfg.exe
2156	powercfg.exe
2284	powercfg.exe
2780	powercfg.exe
2352	powercfg.exe
2148	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	smbhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\wbem\Logs\wmiprov.log	wmiprvse.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2000	tasklist.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 2424	776	UIServices.exe	44
PID 2424 set thread context of 2748	2424	cmd.exe	46
PID 2424 set thread context of 2452	2424	cmd.exe	47
PID 2424 set thread context of 2088	2424	cmd.exe	48
PID 776 set thread context of 1604	776	UIServices.exe	49
PID 1604 set thread context of 1668	1604	cmd.exe	51
PID 1604 set thread context of 2088	1604	cmd.exe	52
PID 2820 set thread context of 1320	2820	smbhost.exe	76
PID 1920 set thread context of 2932	1920	updater.exe	110
PID 1920 set thread context of 2160	1920	updater.exe	114
PID 1920 set thread context of 696	1920	updater.exe	116

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019f62-1473.dat	upx
behavioral1/memory/2528-1475-0x0000000003F80000-0x0000000003F8F000-memory.dmp	upx
behavioral1/memory/2528-1496-0x0000000003F80000-0x0000000003F8F000-memory.dmp	upx
behavioral1/memory/944-1501-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
264	sc.exe
2568	sc.exe
2936	sc.exe
2560	sc.exe
1704	sc.exe
2760	sc.exe
3016	sc.exe
2804	sc.exe
1576	sc.exe
2648	sc.exe
300	sc.exe
1508	sc.exe
2968	sc.exe
2732	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywquammebid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HOSTNAME.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UIServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2424	cmd.exe
2452	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchUI.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Intel(R) Core(TM) i7-8750H CPU @ 5.00 GHz"	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	UIServices.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	UIServices.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UIServices.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1704	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy	UIServices.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	UIServices.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40d71317c773db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ywquammebid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ywquammebid.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1033483A-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1804	services.png.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
776	UIServices.exe
776	UIServices.exe
776	UIServices.exe
776	UIServices.exe
776	UIServices.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
2820	smbhost.exe
896	powershell.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
2820	smbhost.exe
2528	ywquammebid.exe
2528	ywquammebid.exe
1320	dialer.exe
1320	dialer.exe
2820	smbhost.exe
2820	smbhost.exe
2820	smbhost.exe
1920	updater.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe
1320	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1804	services.png.exe
Token: SeSecurityPrivilege	1804	services.png.exe
Token: SeSecurityPrivilege	1804	services.png.exe
Token: SeSecurityPrivilege	1804	services.png.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe
Token: SeSecurityPrivilege	2528	ywquammebid.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2940	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2940	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2528	1804	services.png.exe	30
PID 1804 wrote to memory of 2528	1804	services.png.exe	30
PID 1804 wrote to memory of 2528	1804	services.png.exe	30
PID 1804 wrote to memory of 2528	1804	services.png.exe	30
PID 2528 wrote to memory of 1100	2528	ywquammebid.exe	19
PID 2528 wrote to memory of 1100	2528	ywquammebid.exe	19
PID 2528 wrote to memory of 1100	2528	ywquammebid.exe	19
PID 2528 wrote to memory of 1100	2528	ywquammebid.exe	19
PID 2528 wrote to memory of 1100	2528	ywquammebid.exe	19
PID 2528 wrote to memory of 1160	2528	ywquammebid.exe	20
PID 2528 wrote to memory of 1160	2528	ywquammebid.exe	20
PID 2528 wrote to memory of 1160	2528	ywquammebid.exe	20
PID 2528 wrote to memory of 1160	2528	ywquammebid.exe	20
PID 2528 wrote to memory of 1160	2528	ywquammebid.exe	20
PID 2528 wrote to memory of 1188	2528	ywquammebid.exe	21
PID 2528 wrote to memory of 1188	2528	ywquammebid.exe	21
PID 2528 wrote to memory of 1188	2528	ywquammebid.exe	21
PID 2528 wrote to memory of 1188	2528	ywquammebid.exe	21
PID 2528 wrote to memory of 1188	2528	ywquammebid.exe	21
PID 2528 wrote to memory of 1440	2528	ywquammebid.exe	23
PID 2528 wrote to memory of 1440	2528	ywquammebid.exe	23
PID 2528 wrote to memory of 1440	2528	ywquammebid.exe	23
PID 2528 wrote to memory of 1440	2528	ywquammebid.exe	23
PID 2528 wrote to memory of 1440	2528	ywquammebid.exe	23
PID 2528 wrote to memory of 1804	2528	ywquammebid.exe	29
PID 2528 wrote to memory of 1804	2528	ywquammebid.exe	29
PID 2528 wrote to memory of 1804	2528	ywquammebid.exe	29
PID 2528 wrote to memory of 1804	2528	ywquammebid.exe	29
PID 2528 wrote to memory of 1804	2528	ywquammebid.exe	29
PID 2528 wrote to memory of 688	2528	ywquammebid.exe	33
PID 2528 wrote to memory of 688	2528	ywquammebid.exe	33
PID 2528 wrote to memory of 688	2528	ywquammebid.exe	33
PID 2528 wrote to memory of 688	2528	ywquammebid.exe	33
PID 2528 wrote to memory of 688	2528	ywquammebid.exe	33
PID 2528 wrote to memory of 1924	2528	ywquammebid.exe	34
PID 2528 wrote to memory of 1924	2528	ywquammebid.exe	34
PID 2528 wrote to memory of 1924	2528	ywquammebid.exe	34
PID 2528 wrote to memory of 1924	2528	ywquammebid.exe	34
PID 1924 wrote to memory of 788	1924	cmd.exe	36
PID 1924 wrote to memory of 788	1924	cmd.exe	36
PID 1924 wrote to memory of 788	1924	cmd.exe	36
PID 1924 wrote to memory of 788	1924	cmd.exe	36
PID 1924 wrote to memory of 1704	1924	cmd.exe	37
PID 1924 wrote to memory of 1704	1924	cmd.exe	37
PID 1924 wrote to memory of 1704	1924	cmd.exe	37
PID 1924 wrote to memory of 1704	1924	cmd.exe	37
PID 1924 wrote to memory of 2000	1924	cmd.exe	38
PID 1924 wrote to memory of 2000	1924	cmd.exe	38
PID 1924 wrote to memory of 2000	1924	cmd.exe	38
PID 1924 wrote to memory of 2000	1924	cmd.exe	38
PID 1924 wrote to memory of 2292	1924	cmd.exe	39
PID 1924 wrote to memory of 2292	1924	cmd.exe	39
PID 1924 wrote to memory of 2292	1924	cmd.exe	39
PID 1924 wrote to memory of 2292	1924	cmd.exe	39
PID 1924 wrote to memory of 2944	1924	cmd.exe	40
PID 1924 wrote to memory of 2944	1924	cmd.exe	40
PID 1924 wrote to memory of 2944	1924	cmd.exe	40
PID 1924 wrote to memory of 2944	1924	cmd.exe	40
PID 2944 wrote to memory of 2696	2944	net.exe	41
PID 2944 wrote to memory of 2696	2944	net.exe	41
PID 2944 wrote to memory of 2696	2944	net.exe	41
PID 2944 wrote to memory of 2696	2944	net.exe	41
PID 2528 wrote to memory of 776	2528	ywquammebid.exe	42
PID 2528 wrote to memory of 776	2528	ywquammebid.exe	42

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1440
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    - Drops file in System32 directory
    PID:756
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:664
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    3⤵
    PID:688
- - C:\Program Files\Windows Mail\WinMail.exe
    "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
    3⤵
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2940
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:744
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1160
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1020
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1100
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1712
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1964
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:772
- C:\ProgramData\Google\Chrome\updater.exe
  C:\ProgramData\Google\Chrome\updater.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2892
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2732
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2804
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:352
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1988
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1980
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2156
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2932
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2160
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    PID:696

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\services.png.exe
  "C:\Users\Admin\AppData\Local\Temp\services.png.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Roaming\Fuyclyizy\ywquammebid.exe
    "C:\Users\Admin\AppData\Roaming\Fuyclyizy\ywquammebid.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\HOSTNAME.EXE
        
        hostname
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:788
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1704
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2000
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
    - - C:\Windows\SysWOW64\net.exe
        
        net share
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\tmpb87cf536\UIServices.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpb87cf536\UIServices.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2424
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2452
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1604
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\tmp5fc2b8f4\smbhost.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp5fc2b8f4\smbhost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2820
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:880
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:2356
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:264
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1704
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2568
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1576
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2936
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:2284
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:2780
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:2352
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:2148
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1320
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:2968
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2648
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2560
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:2760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp5fc2b8f4\smbhost.exe"
        5⤵
        
        PID:1120
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\tmp6c8703be\SearchUI.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp6c8703be\SearchUI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "841215402-1103076719-1868372208771985712-81307184817887245751619752628-1252520816"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "75873672-6539417034278052941440520146-662840111-1459161173-1290124517983263807"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9611305661503684569-10721818251571207513-1902898541-1814588456-1216617637-1220528118"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3125071951157382596682322215-1547760031343793608-7319317141517674496-530040815"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18527479759104999451011739969-483625001232579143-158765822142400735-673802402"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1821721023112856662-545537562-1357626704-20138830358206235575396965981668603836"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-202554393809173408-1003446540-7858277352034527774-829233011824694957-1680441723"
1⤵
PID:1276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15043945951835073613-579452866511167771420233137129170366110595858012015676139"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18010193791897038160-7767670302085802001-350807489-1802522166-2087375314-381818314"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "565086969-1841902522325075000-18577559141098821092-1218529199-1028514191561591007"
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "421798447749941276-1241432036-13884893352113730328-1399743508-18523868831071296075"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16497283646094901691567157748-1409937679-1521983310-7004962871155756101-571068448"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-57917438515821474931566373543-322396246-1994307536-1562736092460152119-2006217143"
1⤵
PID:264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18960617021065031053-1657401835-6689972981185618850142660905520009419721219443539"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1370914616-2091968517-2077985400188783117018157134062026827130-6874543031835970897"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-295124016-65843619778807711-743772807834374048-10592273221340712453109003069"
1⤵
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "437649168487831885-193196024672738775517294502952001609576-917905604-84141426"
1⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry